SBS 2003 CD’s

If anyone needs access to the SBS 2003 CD’s, I have them available on my NAS but credentials are required to download them.

Experts Exchange used to have a link in a thread advising people that I have them available, but someone (an Admin) has decided to delete the link / offer because they didn’t like it, so if you need them to repair an SBS 2003 server or to decommission one (you will need CD 2 to remove Exchange 2003 gracefully), then please get in touch with me and I’ll send you the details.

I seem to be about the only person in the world who has them available (clean, zipped .ISO images) and they are proving (still) to be very popular downloads.

Thought I would post about it here so that anyone needing them might be able to find me so they can get hold of them 🙂

Alan

Apple release iOS 6.1.1 to fix one bug but it doesn’t fix the bug with Exchange

After Apple released iOS 6.1 on the 28th January 2013, numerous people have complained of various issues with 3G connectivity, others have complained about battery life being reduced dramatically and more recently, Exchange servers around the world have been slowing down due to what appears to be a problem with the devices looping when Calendar Appointments are accepted on the iPhone / iPad.

Today Apple has released iOS 6.1.1 (only for the iPhone 4S) which seems to address the 3G issues, but it doesn’t fix the Exchange issues and Microsoft / Apple are working together on the problem to see if it is an Exchange issue or an Apple issue.

So whilst some can upgrade, not everyone can and even those that can upgrade, may well have to upgrade yet again when a new update is released that fixes the Exchange issue.

Exchange Admins all over the world are probably restricting access to their Exchange Servers for those who have upgraded to iOS 6.1 until they delete and re-create their Exchange Accounts and promise not to do anything with Exchange Calendar Appointments (in terms of Accepting / Declining etc). Once they have deleted and added their account back, the Admins may allow them back on the server as this is rumoured to ease the performance issues that the Exchange servers are suffering.

The iOS 6.1.1 release is 968Mb in size, so it isn’t a small download. If you are not suffering from battery / 3G issues, you may as well wait to see if there is a newer release and download that instead.

I for one (with my iPhone 4S), have only just upgraded to iOS 6.1 but won’t be updating to iOS 6.1.1 because I can’t face the hassle of Jailbreaking it all over again and re-install/configuring my Jailbroken apps so recently after Jailbreaking iOS 6.1, only having to do it again when 6.1.2 or 6.2 (or whatever comes next) is released to fix the problem, assuming it lies with Apple and not Microsoft.

Watch this space for more news as and when it becomes available.

Alan

Update WSUS to show Windows 8 Computers as Windows 8 not Windows XP

If you have a server running Windows Server Update Services 3.0 SP2 (SBS 2003 / SBS 2008 / SBS 2011 etc) and you also have some Windows 8 clients that you have joined to the domain, they will probably show up in WSUS as Windows XP Clients not Windows 8!

To resolve this, please install the following patch from Microsoft:

http://support.microsoft.com/kb/2734608/en-us

Once installed, you should see the Windows 8 clients reported as Windows 8.

Exchange 2003 Activesync HTTP 500 Error

Further to my Exchange 2003 / Activesync Troubleshooting Guide which can be found here, I was working remotely on a Windows 2003 Server with Exchange 2003 SP2 installed over the weekend having been asked to try and make Activesync work as they had read through my guide and not managed to get everything working properly.

Initially the server needed to have it’s DNS configuration fixed so that the server could talk to the Internet and allow me access, so once their IT department had resolved that issue I was given credentials and started to look at the problems on the server.

Checking the settings against my article, everything appeared to be set properly, but the test on the test site was throwing HTTP 500 errors (my least favourite!), so I followed Method 2 of KB883380 (remove and re-create the Exchange IIS Virtual Directories) and once they had been recreated and the IIS settings re-checked, I re-ran the test on the test site and still received the HTTP 500 error.  At that point I was debating a call to Microsoft, but started to check the Event logs on the server and saw various DNS related errors which were of some concern.

Outlook 2007 was also installed on the Exchange 2003 server, so I wasn’t convinced that I had a simple fix on my hands.

I ran the Exchange 2003 Best Practises Analyzer tool and that reported that Exchange could not be contacted, which suggested a DNS issue.  In the DNS logs there was an Event ID 800 error:

‘The zone <zone> is configured to accept updates but the A record for the primary server in the zone’s SOA record is not available on this DNS server. This may indicate a configuration problem. If the address of the primary server for the zone cannot be resolved DNS clients will be unable to locate a server to accept updates for this zone. This will cause DNS clients to be unable to perform DNS updates.‘

The suggested fix for this was to run dcdiag /fix followed by netdiag /fix and then to restart the Netlogon Service.  I did this but nothing changed.

Running the netdiag /fix threw up the following error:

DNS Error code: DNS_ERROR_RCODE_SERVER_FAILURE [FATAL] Failed to fix: DC DNS entry xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._msdcs.internaldomainname.local. re-registeration on DNS server ‘Server IP Address’ failed.

I checked the DNS zones and saw that both the _msdcs.internaldomain.local zone and internaldomain.local zones were not showing all that they should have been so I deleted both zones and recreated them manually (referring to another Windows 2003 server for the relevant entries.  Once all that could be manually created was created, I re-ran dcdiag /fix and netdiag /fix and still received the error above.

I then tried searching for a way to fix this problem but drew a blank.  Looking through the other event logs, I came across the following error in the System Log:

Event ID: 5788
Source: Netlogon
Description: Attempt to update Service Principal Name (SPN) of the computer object in Active Directory failed. The following error occurred: The attribute syntax specified to the directory service is invalid.

Searching for this error landed me here and upon checking the Computer Name / Domain Name,  I saw that the computer name was simply computername. not computername.internaldomain.local.  Never seen that one before.

Following the resolution in the MS article, I created a VB Script file and ran it on the server and rebooted.

Following the reboot, I re-ran the dcdiag /fix and netdiag /fix and the errors had gone.  In addition, some of the DNS records that I wasn’t able to create manually were magically back, so that seemed to have resolved the DNS issues – hurrah!

I then decided to re-test Activesync and happily received a complete pass on all tests – so now that Exchange could talk to itself, Activesync could actually work!

Running the Exchange Best Practices Analyzer again I was happy to see that Exchange could now talk to itself and the results showed a much happier server with only a few minor issues.

So – if you are seeing the dreaded HTTP 500 error and have gone through my Guide, followed KB883380 method 2 and still get the same error – it just might be a good idea to run the Exchange BPA and check your DNS settings are 100% happy.

Alan

SBS 2003 to SBS 2011 Migration Performed Remotely in Toronto Canada (from the UK)

Last night I started to perform a migration from SBS 2003 to SBS 2011 for a company in Toronto where Peter was going to be onsite to manage the migration from the local end.

The start time for me was 9:00pm (UK time) and prior to starting, I had asked Peter to make sure the SBS 2003 server was fully patched, had the Microsoft Baseline Configuration Analzyer tool installed (and to reboot the server afterwards), check that Exchange 2003 Service Pack 2 was installed and also that Small Business Server 2003 SP1 had been installed properly, something that quite often doesn’t get installed properly as it isn’t a simple download from Microsoft via Windows Update.

I also asked Peter to run a DCDIAG report (after installing the Windows Server 2003 Service Pack 2 32-bit Support Tools) to make sure that all was well and email me the results

The only item that needed fixing from the DCDIAG report was to set the Intersite Messaging Service to Automatic and Start the service, something that is quite often not set to Automatic on SBS 2003 from my experiecnce.

All being well, it was time to start the migration.  I asked Peter to insert the SBS 2011 DVD into the SBS 2003 server and then once fired up, we installed the Migration Preparation Tool (without installing any updates).

The SBS 2003 server was prepared happily, the Migration Answer File created and saved to a Memory Stick (USB Key) and then the server was rebooted.

It was then time to build the new server, and Peter had chosen an HP ProLiant DL360 G7 server (nice!).  To cut a long story short, there were a few problems with the build and after referring him to my other blog article here he happily created a bootable USB key with SBS 2011 on it and then rebuilt the server for a second time, this time more successfully.  Also on the USB Key with SBS 2011 as an .ISO image were the drivers for the RAID Controller and the SBS Answerfile.

After a few reboots and having changed the boot order so that the server would no longer boot from the USB Key after the initial Windows build, the server fired up into Migration mode and the Migration could start.

The settings chosen in the SBS Answer file were checked and verified, the Time Zone checked and verified (important to do this manually as the BIOS clock can be way off) and updates were not downloaded for the installation.

After a while, the server rebooted and we were logged in to the SBS 2011 server.  Time to create a new User as the Migration won’t work if you use the default Administrator account.

After the new Admin Account was created we logged off, then on again as the new user and fired up the SBS Console and clicked on the Migrate to Windows SBS link on the Home page.

Having created just a single partition, the first step of relocating the various components of SBS to another drive was skipped and we moved on to the Configure the Network Wizard.  With nothing much to do there apart from click a few buttons (DHCP was not on a router), the wizard completed and we moved onto the next step.

Configuring the Internet Address we selected the relevant domain name and changed the default prefix of ‘Remote’ to a preferred name and completed the wizard.  This failed initially and threw a few errors.  After a few minutes of head scratching and wondering why, I checked the Services and found a handful of Exchange ones not started!  After a bit of encouragement with my mouse, the services were started and the Wizard re-run, this time 100% happily.

At this point, it was time to pause the installation and visit Windows Update.  It was now about 5:40am (UK time) and caffeine had been working happily, but you need to draw the line somewhere and get some sleep, so having selected about 133 Windows Updates and kicked the updates off, I retired to bed as the world was waking up and the light outside was getting lighter 😦

We are planning to pick up the Migration again at 3:00pm UK time today and at the time of writing I am remotely connected to the server and busy installing a raft of other updates that are available and rebooting as and when required.  I have now done this about 3 times and the cupboard is now well and truly bare, so time for more caffeine and to wait for Peter to arrive on-site and then order the SSL certificate from www.exchange-certificates.com and get it approved before moving the mailboxes from the SBS 2003 server to the SBS 2011 server.

So, Peter arrived on site and we order a new SSL certificate from the site above, ran the New Certificate Wizard in the Exchange Management Console to generate a Certificate Signing Request (CSR), took the CSR to the certificate site and copied / pasted the contents into the relevant box and completed the certificate request process.  Now we just had to wait for the approval emails to arrive.  Prior to starting the migration, I had asked Peter to make sure that the Admin contact for the domain was still valid and that he had access to the email account that the Certificate Approval emails would be sent to – he was the Admin contact and thus we wouldn’t have any problems receiving and processing the Certificate Approval emails.

The next step in the migration was to move the mailboxes over from the old server to the new server and that is done via the new server using a “Local Move Request”.  We essentially highlighted all the User mailboxes and then clicked on the New Local Move Request.  We actually selected a few large mailboxes first and then the remainder which were smaller so that the larger ones started to be moved first.

Next was to move the Public Folders and that was simply a case of right-clicking the Public Folder Store and choosing “Move All Replicas”.  There weren’t many Public Folders so I expected this to be a quick process, but after an hour or so of watching the mailboxes move, the Public Folders hadn’t even started to move, so I checked the the SMTP Virtual Server settings and lo and behold, there was some Outbound Authentication that was set because they had previously setup a Smarthost on the SMTP Virtual Server (which I had already removed).  As soon as I removed the outbound authentication and restarted the SMTP Virtual Server, the Public Folders started to move over to the new server and after about 5 minutes, the Public Folder Instances were all empty 🙂

Next was to remove Legacy Group Policies and Logon Settings which essentially is the deletion of old SBS 2003 Group Policies and renaming the SBS_LOGON_SCRIPT.BAT file and removing references to it from ALL user profiles.

The next step in the migration was to setup a batch file to use Robocopy to copy all the User / Company data from the old server to the new server.  I looked at the shares on the old server and didn’t see anything that stood out as a Company Data folder, so asked Peter to identify the relevant data, which he did and I setup the batch file to copy the data he had identified as well as the User Data, which was obvious.

I decided to kick off the data copy batch file (run as Administrator) and then all we could do was sit and wait, so I suggested to Peter that he might like to go and have an extended lunch break and that I would monitor the Mailbox Moves and data copying remotely, then let him know when it was likely to have completed, so he could return to help with the final steps in the migration.

I emailed Peter and arranged for him to return to the office at 8:00pm Toronto time (1:00am UK time).  All the data and mailboxes had moved across by about 1:40am UK time so the next step was to Migrate Fax Data of which there wasn’t any, so we moved on to the next step which was to convert Users and Groups.  All users were assigned the new Standard User role and all Groups were selected and converted – all very simple stuff and quick to perform and by now, the finishing line was in sight.

Before removing Exchange 2003 from the SBS 2003 Server it was time to redirect port 25, 443, 987, 4125 and any other ports being used on the firewall to the new server.  Once completed, I could then remove the Routing Group Connectors that are installed to allow mail to flow between the Exchange 2003 and Exchange 2010 servers during the migration.

It was now time to remove Exchange from the old server by using the Add/Remove Programs, selecting the Small Business Server 2003 application and then running through the various screens until the installed options were visible, then setting Exchange to ‘Remove’ and finishing the wizard.  This process never normally removes exchange fully (in my experience), so I had to refer to an MS KB Article to manually remove the remaining components of Exchange (KB833396).

The final step is to run DCPROMO, but before we do, it is a good idea to check that the SBS 2011 Server is the holder of all FSMO roles.  I found a little file that allows me to do this without having to break sweat – don’t recall where it came from, but I am grateful to the creator.  You can download it from here dumpfsmos.zip.  Having run and verified that my FSMO roles were all held by the SBS 2003 server, I fired up DCPROMO and let it run, making sure I didn’t tick the box that says “This server is the last controller in the domain” as that would cause all kinds of havoc.

For some odd reason – every time I run this the first time, it always fails because the NETLOGON service has been stopped and it complains about it being stopped.  Well the DCPROMO process stops the NETLOGON service, so I am not sure why it gets confused, but it always does, so prepare for it to fail, then start the NETLOGON service up again and re-run DCPROMO again which on the 2nd time of running, will happily complete.

Once done, reboot the server, then login to the local server as the Administrator, using the password you specified during the DCPROMO process and once it is alive, shut it down and keep it handy in case you forgot to get some data from it.  MIGRATION COMPLETED!

The time that the migration was finished was about 3:30am UK time, so from start to finish, the entire process took about 30½ hours, but it has to be said that there was little data to be copied and the mailboxes were small.

The article that I used to guide me through the entire migration, which I will be asking Glen to tweak slightly with some items to make it even better than it is already can be found here.

If after reading it you don’t feel confident enough to tackle the migration yourself, I would be only too happy to assist you.  If you do feel confident enough then I hope your migration goes smoothly and completes quickly.

Alan

SBS 2003 to SBS 2011 Migration – 50Gb of Public Folders to Migrate took a week to migrate!

Having nearly completed yet another SBS 2003 to SBS 2011 Migration after the longest week of my life so far, I was amazed at how slowly the Public Folder Replica Move actually took to push 50Gb of data between the two servers.

Starting the project on a Monday and having the SBS 2011 server built by Monday afternoon (built virtually using Microsoft’s Hyper-V Server on a new HP ProLiant ML350 G6), I started to move the Exchange Mailboxes and then the Public Folder Replicas to the SBS 2011 server.  The network was originally running on a 10/100 Switch but I upgraded it to a Gigabit Switch on the Tuesday morning so that I had the maximum speed available and both servers had Gigabit cards in them.

At the end of the Tuesday, there were still dozens of Public Folders listed in the Public Folder Instances list in the Exchange System Manager, so I checked the SMTP Virtual Server Settings to see if there were any settings configured that might slow the process down and discovered several settings that would restrict the flow of emails.  The initial setting that I noticed was the “Limit session size to (KB):” setting.  This was limited to 40Mb and as some of the emails in the Public Folders were in the region of 30-40Mb in size, the session size was going to severely impact the flow of mail so I changed it to 1024000 (about 1Gb).

The other setting that I changed was the “Connection Timeout” value on the General Tab.  This was set to timeout after 10 minutes, so I increased the timeout to 2 hours, so that this wouldn’t cause any delays either.

I wasn’t unduly concerned at this point about problems with inbound mail and spammers clogging up the system as I had already installed a SAN/UCC SSL certificate (minimum 5 Domain Names) bought from www.exchange-certificates.com and had re-pointed port 25 to the SBS 2011 server.

So having made as many changes to the network and SMTP Virtual Server Settings (also restarting the Simple Mail Transport Service) I created a new Receive Connector on the SBS 2011 server to only receive mail from the IP Address of the SBS 2003 server and set the Maximum Message Size Limit to 50Mb and let the two servers talk to each other.

Sometime overnight on the Saturday after starting the migration, the whole 50Gb of Public Folders had migrated across to the SBS 2011 server and all the Public Folder Instances had disappeared!  A whole 5½ days later.

At one point during the PF Replication, I calculated that it was moving at about 500Mb per hour, so all in all, it was going to take in the region of 100 hours to move the entire database.

So – if you are planning a migration from SBS 2003 to SBS 2011 and you have a large Public Folder Database, don’t expect the migration to complete quickly.  Assuming the worst – a Public Folder Database with 75Gb of data in it, I would expect it to take about a week and a half just to push the data to the new server.

Happy migrating!

SBS 2003 Connect To The Internet Wizard Fails At Firewall Configuration

Today I was working on a problem where an SBS 2003 server was having issues re-running the Connect To The Internet Wizard whereby the Wizard started happily to re-configure the server but then failed at the Firewall configuration.  The server also had ISA Server 2004 installed.

The reason for re-running the wizard was because emails were not flowing properly out of the server and re-running the Internet Connection Wizard was a good place to start troubleshooting.  Because the Wizard was failing, it was a strong possibility that the Firewall / ISA server was causing the issue.

Having examined the ICWLOG.TXT file to see what might be causing the issue (from C:\Program Files\Microsoft Windows Small Business Server\Support) it showed the following errors:

Error 0x80070003 returned from call to Configuring IIS to listen only on the LAN().
Error 0x80070003 returned from call to CStingrayCommit::DoGeneralConfiguration().
Error 0x80070003 returned from call to Doing general configuration().
Error 0x80070003 returned from call to CStingrayCommit::CommitEx().

Doing some digging on the webs for an answer, I checked a few sites but drew a blank, then I found the following site (http://www.windows-server-answers.com/microsoft/Windows-Server-SBS/32257468/icw-fail-on-firewall-step.aspx) and it pointed me to check the registry for the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\Intranet
the ‘companywebpath’ key showed this value:

IIS://LOCALHOST/W3SVC/4

Opening up IIS Manager, I then checked the IIS Website Identifier Value for the CompanyWeb site (see example image below) :
and saw that it was showing a different value, in this case it was showing ‘448260875’.

Going back to the Registry key, I then changed the ‘companywebpath’ value to 448260875 to mirror the IIS Website Identifier and then closed Regedit.

Upon re-running the Connect To The Internet Wizard again, it completed happily and normal outbound mail-flow resumed.

I am sure that this isn’t the only reason for the wizard failing at the firewall stage, but it is one thing to rule out that isn’t exactly obvious.

SBS 2011 – Error moving Microsoft Sharepoint Foundation data location

If you are in the middle of migrating from SBS 2003 to SBS 2011 and are trying to move the Microsoft Sharepoint Foundation data location on the SBS 2011 server and receive the following error:

“An error occurred while attempting to move the Microsoft Sharepoint Foundation database”

Please check to see that the ports in use on the SBS 2003 server are 80 and 444.  I was just trying to move the location and it kept failing.

After a few searches with no useful information being found, I checked a couple of other SBS 2003 servers that I have access to and saw that the one I was trying to migrate was using port 81 and 444, so I changed the port to 80, stopped and started the website and then tried the move again and this time it completed.

Exchange 2003 and Activesync Configuration and Troubleshooting

So, here is my guide to solving (most) Exchange 2003 and Activesync issues:

Pre-Requisites:

1. Make sure that you have Exchange Server 2003 Service Pack 2 Installed. Whilst Activesync will work with Exchange 2003 Service Pack 1, Service Pack 2 makes it a whole lot easier!

To check if you have it installed, open up Exchange System Manager (Start> Programs> Microsoft Exchange> System Manager). Then expand Servers, Right-Click your server and choose Properties. This will display whether you have SP2 installed or not.

If you do not have SP2 installed you can download it here – http://www.microsoft.com/downloads/details.aspx?FamilyID=535BEF85-3096-45F8-AA43-60F1F58B3C40&displaylang=en

2. Ensure that TCP Port 443 is open (and forwarded) on your firewall to your Exchange server. You don’t need to open up any other ports to get Activesync working, just TCP port 443. You can check this on your Exchange Server at http://www.canyouseeme.org and you should see ‘Success’ if the port is open and forwarded correctly. If it isn’t open and forwarded, check your router and make sure you have the settings configured correctly.

3. Please check the LAN Adapter Binding order to make sure the NIC that Exchange is bound to is at the top of the list (Start> Run> [type] ncpa.cpl [press enter]> Advanced> Advanced Settings> Connections).

4. Open up IIS Manager (Start> Programs> Administrative Tools> Internet Information Services (IIS) Manager), expand ‘Web Sites’ then ‘Default Web Site’ then right-click on the relevant Virtual Directory (see below) and choose properties, then click on the Directory Security Tab):

Exchange 2003 (Not part of Small Business Server):

Exchange Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm = yourcompany.com
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked (very important)

Microsoft-Server-Activesync Virtual Directory
• Authentication = Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm = NETBIOS name
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked

Public Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NetBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm = yourcompany.com
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked (very important)

Exchange 2003 (Part of Small Business Server):

Exchange Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NetBIOS domain name – e.g., yourcompany*
• Realm = yourcompany.com
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked (very important)

Microsoft-Server-Activesync Virtual Directory
• Authentication = Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany*
• Realm = NETBIOS name
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked

Exchange-oma Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany*
• Realm = NETBIOS name
• IP Address Restrictions = Restricted to IP Address of Server
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked

OMA Virtual Directory
• Authentication = Basic
• Default Domain = NETBIOS domain name – e.g., yourcompany*
• Realm = NETBIOS name
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption NOT ticked

Public Virtual Directory
• Authentication = Integrated & Basic
• Default Domain = NetBIOS domain name – e.g., yourcompany* (no more than 15 characters)
• Realm = yourcompany.com
• IP Address Restrictions = Granted Access
• Secure Communications = Both Require SSL and Require 128-Bit Encryption IS ticked (very important)

The Domain / Realm parts can be left as “\” for the Domain and Blank (empty) for the Realm.  MS recommend it this way, but I have fixed some servers by adding the Domain / Realm as per the settings above.

* yourcompany can be determined by opening up a command prompt (Start> Run> [type] cmd [press enter]) and then typing ‘SET’ and pressing enter. The variable ‘USERDOMAIN’ is the info you should use for ‘yourcompany’. Most often – this is not required, but I have seen instances where simply adding this info has made Activesync work.

5. ASP.NET should be set to version 1.1 for all virtual directories listed above. If you cannot see the ASP.NET tab, you only have v 1.1 installed so do not worry. If any version other than 1.1 is selected, please change it to v 1.1.4322.

6. Make sure that you have HTTP Keep-Alives enabled. Right-Click on the Default Web Site and choose Properties. On the Web Site tab, in the Connections section, click the Enable HTTP Keep-Alives check box and click OK

7. Check that Ignore Client Certificates is selected under the IISADMPWD virtual directory / Directory Security Tab / Edit Secure Communications Button. This Virtual Directory may not exist if you have not setup the ability to reset passwords via Outlook Web Access (OWA). If it is not there – no worries.

IPV6
Please make sure that IPV6 is NOT installed on your server as this is known to break Activesync. (Start> Run> [type] ncpa.cpl [press enter]) Right-click on your Local Area Network Connection and choose Properties. Look under ‘This Connection Uses The Following Items:’ for Internet Protocol (TCP/IP) v6 – if it exists – uninstall it and reboot.

8. Ensure that the IP for the Default Website is set to All Unassigned and using port 80 (open up IIS manager, Right-Click the Default Website and choose properties, then on the Advanced button).

If your default website is using any port other than port 80, it simply will not work, so if you have changed this to make something else work, either change it back to port 80 or stop trying to use Activesync! Also make sure that you are not using any Host Headers on the Default Website (or any other website that you happen to have running that uses the same Host Header name that you are using on your SSL certificate) because this can/will also break Activesync.

If you make any changes to IIS, you will need to reset IIS settings. Please click on Start, Run and type IISRESET then press enter.

SSL Certificate
Make sure that the name on the SSL certificate you have installed matches the Fully Qualified Domain Name (FQDN) that you are connecting to for ActiveSync – for example, mail.microsoft.com. To check, right-click on the Default Web Site in IIS, choose Properties, click on the Directory Security Tab and then on the View Certificate Button.

If it does not match, either re-issue the certificate if you created it yourself, or re-key the certificate from your SSL certificate provider.

If you have a Small Business Server and don’t want to buy a 3rd Party SSL certificate, just re-run the ‘Connect To The Internet Wizard’, (Start> Server Management> To-Do List> Connect to the Internet).

Click Next. If the Wizard detects a Router – click No to leave the configuration alone.

Make sure ‘Do not change connection type’ is selected and click Next.

Leave the Web Services Configuration Settings as they are and click Next.

Select ‘Create a new Web server certificate’ and enter a ‘Web server name’ e.g., mail.yourdomain.com and click Next.

Select ‘Do not change Internet e-mail configuration’ and click Next.

Click Finish to complete the Wizard

If you have Windows Mobile Phones, Activesync is much easier to get working with a purchased SSL certificate. If you have a self-created SSL certificate and use Windows Mobile Phones, you will have to install the SSL certificate onto each and every Windows Mobile Phone that you want to use with your Exchange 2003 server. If you only have a handful of devices, then it won’t take long to do, but if you have dozens, a £30 1-Year SSL certificate is probably a very good investment. You can purchase a cheap, trusted SSL certificate from http://exchange-certificates.com that will work happily.

Windows Mobile Phone / iPhone Settings:

Email Address: Your Users Email Address
Server: Whatever name you have on your certificate e.g., mail.yourdomain.com (do not add /exchange or /oma or /anything)
Domain: Your internal Domain Name e.g., yourdomain (maximum 15 characters)
Username: Your Username e.g., User123
Password: The CORRECT password!
Description: Whatever you want to call the Account

Testing:

If you have got SP2 installed, check on https://testexchangeconnectivity.com to see if everything is working properly by running the Exchange Activesync check. The site is an official Microsoft site specifically for testing Exchange installations and connectivity.

Please select ‘Specify Manual Server Settings’ (Exchange 2003 does not have native Autodiscover enabled so using the Autodiscover settings will fail).

3rd Party SSL Certificate:

Do NOT check the “Ignore Trust for SSL” check box

Self-Certified SSL Certificate:

Check the “Ignore Trust for SSL” checkbox.

If you are trying to make an iPhone work, then you can also download the free iPhone App ‘Activesync Tester’ and this should identify any problems with your configuration, or download the version for your PC from https://store.accessmylan.com/main/diagnostic-tools

Various Activesync Errors / Solutions:

REMEMBER – If you make any changes to IIS settings, please run IISRESET and re-visit https://testexchangeconnectivity.com and re-run the test.

Activesync Error 0x86000108:

Activesync is unsuccessful and you see the error 0x86000108 on your Windows Mobile Device:
Please read the following MS Article which checks that Authenticated Users has write permissions to the %TEMP% directory (usually c:\windows\temp) – http://support.microsoft.com/kb/950796/en-us

Application Event Log 3005 Errors:

A lot of 3005 errors can be resolved by changing the Default Website Timeout value from 120 (default) to something greater, such as 480 using IIS Manager.
For Small Business Server 2003 Users – please read this MS article – http://support.microsoft.com/kb/937635

Inconsistent Sync:

If you are getting inconsistent Synchronisation from your device to your Exchange 2003 server, please add the following registry key to the server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeIS\VirusScan
ProactiveScanning REG_DWORD 1

HTTP 401 Error:

If you are getting an HTTP 401 error when testing on https://testexchangeconnectivity.com then you are probably entering an incorrect username or password, or you may have IP Address restrictions setup on your virtual directories (see IIS Settings above under prerequisites).

HTTP 403 Error:

Ensure that Forms Based Authentication is NOT turned on under Exchange Virtual Server under Exchange Protocols (Exchange System Manager, Servers, Protocols, HTTP, Exchange Virtual Server properties, Settings Tab). If it is – please read http://support.microsoft.com/kb/817379 and create an exchange-oma virtual directory following the instructions in the KB article.

I have had Activesync work despite seeing “An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is:

HTTP/1.1 403 Forbidden

” at the end of the test above. To resolve this (if you like things tidy), please open up Exchange System Manager, Global Settings, Mobile Services Properties, Device Security Button, Exceptions Button, then add your account to the exceptions list.

I have also seen the 403 error resolved by running:
eseutil /p
eseutil /d and
isinteg -s servername -fix -test alltests (at least twice)

Check to see if Activesync is enabled globally on your server – http://technet.microsoft.com/en-us/library/bb125073(EXCHG.65).aspx

Also check to see if it is enabled on a user by user basis – http://technet.microsoft.com/en-us/library/aa997489(EXCHG.65).aspx

HTTP 500 Error:

If you still cannot get Activesync to work or keep getting an HTTP 500 error, please follow Method 2 in Microsoft Knowledgebase Article KB883380 and this should resolve the issues. This essentially deletes the Exchange Virtual Directories from the IIS Metabase (which can be corrupted) and rebuilds them. When deleting the Exchange virtual Directories, please also delete the Exchange-OMA virtual directory if it exists. Rebuilding those virtual directories often clears up problems that all the other steps above do not resolve.

If, after following KB 883380, Activesync still does not work and it keeps coming up with HTTP 500 errors, please do the following:

• Disable Forms Based Authentication – Exchange HTTP Protocol (if enabled)
• Remove SSL settings from the Exchange IIS virtual directory
• Run iisreset
• Test Activesync without SSL selected – hopefully this should work or give the OK result
• If okay – right-click on the Exchange Virtual Directory and select all Tasks> Save Configuration to a file. Name the file Exchange and save to the desktop
• Run Regedit (and be extremely careful here as you can kill your server very easily) then right-click on My Computer and select Export. Name the file as ‘EntireRegistry’ and save the backup of the registry to the desktop
• In regedit – locate HKLM \ System \ CurrentControlSet \ Services \ MasSync \ Parameters and delete the ExchangeVDir key from the right-hand pane.
• Close Regedit
• Right-click on the default-website and select New> Virtual Directory fom File. Browse to the desktop and click on the Exchange.xml that you created above, then click on Read file, select Exchange from the ‘Select a configuration to import’ section and click on OK. Select ‘Create a new virtual Directory’ and name the directory ‘exchange-oma’ and click OK.
• Right-click on Exchange-OMA virtual directory you just created and click Browse – you should see OWA open up happily
• Open Regedit and add the ExchangeVDir key back that you recently deleted as a String Value and then change the value to read /exchange-oma
• Close regedit
• Enable SSL and require 128-Bit Encryption on the Exchange Virtual Directory to ensure it is secure once again
• Enable Forms Based Authentication (if you want to use it) on Exchange > Protocols> HTTP
• Make sure that Integrated Authentication is enabled on the Exchange Virtual Directory
• Check that the Exchweb virtual directory does not have SSL enabled
• Run iisreset
• Test Activesync – it should hopefully be working now!

If the above fails, please check you event logs for Event ID 9667 – Source MSExchangeIS. If this event exists, please have a read of MS KB820379

In a recent question on Experts-Exchange.com, I was advised that running the following command against the unmounted database solved an HTTP 500 error, so if you are still having issues, please try running the integrity check (from a command prompt):

Isinteg –s servername –fix –test alltests

Select the dismounted database and let the check run. If you see 0 errors and 0 fixes, then all is well. If not, please re-run the test until you do (as many times as it takes – two usually is ufficient).

If you are still reading this article and are still seeing HTTP 500 errors, then we need to check the settings on the EXCHWEB Virtual Directory in IIS Manager.

Exchweb Virtual Directory
• Authentication = Anonymous
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchweb \ Bin Directory
• Authentication = Basic
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchweb \ Bin \ Auth Directory
• Authentication = Anonymous
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

Exchweb \ Bin \ Auth \ USA Directory
• Authentication = Basic
• Secure Communications = Require SSL and Require 128-Bit Encryption NOT ticked

REMEMBER – If you make any changes to IIS settings, please run IISRESET and re-visit https://testexchangeconnectivity.com and re-run the test.

Recently added HTTP 500 Error solution for a server I worked on.

Hopefully if you are now at the bottom of my article, your mobile phones should now be synchronising happily. If that is not the case, please review your IIS Settings carefully and start at the top of this article again.

RECENT UPDATE (10/01/12) – A piece of software called [url=”http://fspro.net/hide-folders/”%5DHide Folders 2009[/url] has been found to install a service called “FSPRO Filter Service” and a dll called FSPFltd.sys (in c:\windows\system32\drivers).  This program breaks Activesync.  If you have Activesync part working / part not working, please check your server for this software and if it is there – disable the service, move / delete the .dll file and restart your server.  Once restarted, Activesync should return to normal functionality!

RECENT UPDATE (29/05/12) – Please make sure that the server does not have Microsoft Security Essentials installed as this will break Activesync.  If you find it is installed – please uninstall it.

Recent Update (10/07/13) – DO NOT INSTALL programs such as Disk Keeper on any server running Exchange as it too will break Activesync!

If you are still not working – then you will probably have to call Microsoft to get support from them as something else not covered by this article is causing your problems.

So, in summary, you have reviewed and checked the settings in IIS to ensure that Activesync will work on your Exchange 2003 server, you have made sure that you have Exchange 2003 Service Pack 2 installed and you have run a test to make sure that your server is responding happily and by now, your iPhones and Windows Mobile phones should be happily synchronising.

Having got this far – and hopefully fixing your problems – if you have found this article helpful, please vote for it at the top of the page : )

* * * Please rate this article below if you have found it helpful * * *